Josh L. Perrymon wrote:
> We do this type of directed phishing attack all the time for our
> global clients. Instead of having an automated MITM we have scripts
> that alert us when a user visits the site and we login to the real
> site once we receive the first token code. Then wait as the user
> submits the second code and you're in..
> The only protection mechanism that helped out was digital client
> certs. But we still got into citrix and performed a local priv
FWIW, our token client can be set to validate the SSL certificate of the
target website based on a hash of the cert delivered with the OTP and to
launch the default browser to the correct SSL-encrypted URL or throw an
'ssh-esque' warning to the user. This host/mutual authentication is
available in the open source version. Some may see it as easier than
dealing with full digital client certs.
> escalation essentially controlling the internal domain. So 2 factor
> authentication isn't enough. Or in my mind. 2Factor auth doesn't
> protect a user much more than static passwords.
I think that 2FA is not a panacea, but a tool that when used properly
solves problems. Hardware tokens aren't going to stop MITM attacks and
software tokens aren't going to stop session hijackers (if running on
the same device).
> It's all about userAwareness and Incident Response.
Aye. Defense in depth tuned by risk assessment.
nick
> J. Perrymon
> CEO PacketFocus
> www.packetfocus.com
> On 7/11/06, Brian Eaton <eaton.lists at gmail.com> wrote:
>> On 7/10/06, dpw <dainw at fsr.com> wrote:
>> > however... the article does state that the MiTM form *posted* into the
>> > citibank application to authenticate the second factor.
>> >
>> > This is the part that I was responding to - regardless of the
>> > phishing lure the user saw - the form shouldn't have been able to post
>> > back into the citibank authentication system successfully. It should
>> > have been DOA trying something like that.
>>
>> Now you've got me wondering. The article says,
>>
>> "That's because this site acts as the "man in the middle" -- it
>> submits data provided by the user to the actual Citibusiness login
>> site."
>>
>> That could mean either that the web page was submitting directly to
>> citibank, or that the web page submitted to the spoofed site which
>> then forwarded the submission. One of the "features" of this phishing
>> site was that it could distinguish between legitimate business codes
>> and faked ones, which makes me think this was MITM.
>>
>> Regards,
>> Brian
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
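A client-side host check of the kind Nick describes, added here as an illustration and not WiKID's own code: the OTP arrives together with the correct HTTPS URL and a hash of the site's certificate, and the browser is only pointed at the site when the live certificate matches that hash. The bundle format, the function names and the sample certificate bytes are assumptions.

```python
import hashlib
import hmac
import ssl
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class OtpBundle:
    """Assumed shape of what the token server returns with the one-time code."""
    otp: str
    url: str          # the correct HTTPS login URL the client should open
    cert_sha256: str  # hex SHA-256 of the site's DER certificate, as pinned


def cert_fingerprint(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Retrieve the leaf certificate the live site presents (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def verify_host(bundle: OtpBundle, observed_der: bytes) -> tuple:
    """Return (ok, message): ok only if the observed certificate matches the
    pinned fingerprint. A proxying look-alike site cannot present the genuine
    certificate, so on mismatch the OTP is withheld and the message reads
    like an ssh host-key warning instead of opening the browser."""
    parsed = urlparse(bundle.url)
    if parsed.scheme != "https":
        return False, "refusing non-TLS URL %r" % bundle.url
    observed = cert_fingerprint(observed_der)
    if not hmac.compare_digest(observed, bundle.cert_sha256.lower()):
        return False, ("WARNING: certificate for %s does not match the "
                       "fingerprint delivered with the OTP; possible "
                       "man-in-the-middle, OTP withheld." % parsed.hostname)
    return True, "host verified; open %s and enter OTP %s" % (bundle.url, bundle.otp)


# Constructed sample "certificates": not real DER; the hashing is byte-agnostic.
GENUINE_CERT = b"constructed-der-bytes-for-the-genuine-bank-site"
LOOKALIKE_CERT = b"constructed-der-bytes-for-a-proxying-look-alike-site"
SAMPLE_BUNDLE = OtpBundle(otp="482913", url="https://bank.example/login",
                          cert_sha256=cert_fingerprint(GENUINE_CERT))
```

In a real client the observed bytes would come from fetch_der_cert() for the host in the bundle's URL; the pinned hash has to be delivered over the already-authenticated token channel, not fetched from the site being checked.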
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]